In a week where online security and privacy have been front and center, with changes announced by both Apple and Google to better protect billions of users, we also now have a shift in the opposite direction. The security of our messaging is already under serious threat from lawmakers intent on breaking the encryption we all now rely on, and that threat has just intensified.
Announcing plans “to end the use of warrant-proof encryption that shields criminal activity,” U.S. senators Lindsey Graham, Tom Cotton and Marsha Blackburn introduced the Lawful Access to Encrypted Data Act on June 23. The “reliance” on encryption has turned tech platforms into a “lawless playground of criminal activity,” Cotton said, with “criminals from child predators to terrorists taking full advantage.”
This latest assault on encryption builds on the proposed “EARN IT Act,” also put forward by Graham alongside fellow senator Richard Blumenthal. The two proposals take the same approach to piercing the defense tech players have built around their encryption. Neither bill specifically mandates that encryption be broken, but both require tech platforms to assist law enforcement in preventing or investigating criminal activity. And, in essence, that’s the same thing.
“Once a warrant is obtained,” the senators explain, “device manufacturers and service providers [would be required] to assist law enforcement with accessing encrypted data if assistance would aid in the execution of the warrant.” The bill also requires companies to report on their compliance. There would be an appeal process and compensation for costs incurred—but end-to-end encryption would be broken.
The EARN IT Act seeks the same outcome through different means. It would remove the Section 230 protection the tech platforms rely on as a defense against legal responsibility for the content transmitted over their platforms. By making the companies legally responsible, the bill would force some form of monitoring that, again, would need to break encryption in order to work.
This intent by lawmakers to break end-to-end encryption, where the companies themselves do not hold copies of encryption keys and so cannot intercept message content, has been described by EFF as “a major threat… an attack on online speech and security—the privacy and security of all users will suffer if U.S. law enforcement achieves its dream of breaking encryption.”
Facebook would be more impacted than any other tech player—with its flagship messaging platform WhatsApp far and away the biggest advocate and supplier of end-to-end message encryption worldwide. But Facebook also plans to add the additional security to its other products, including Facebook Messenger, with its huge user base.
Facebook issued a strongly worded response to the new proposals, describing end-to-end encryption as “a necessity in modern life—protecting billions of messages sent every day on many apps and services,” and warning that “rolling back this vital protection will make us all less safe, not more. We are committed to continuing to work with law enforcement and fighting abuse while preserving the ability for all Americans to communicate privately and securely.”
Apple’s iMessage would need to change its security to comply with the new proposals, as would Google’s reported plans to add end-to-end encryption into forthcoming RCS deployments. In all, the security of billions of users would be impacted. And, in reality, the issue is not in the U.S. but elsewhere in the world. The strongest argument against these proposals is that any backdoor becomes a weakness that will inevitably be exploitable by bad actors. That might be criminals, but it will certainly be regimes where encryption protects activists, lawyers, dissidents and reporters.
Last year, Facebook’s Mark Zuckerberg predicted “the future of communication will shift to private, encrypted services where people can be confident what they say to each other stays secure.” It’s not looking quite so clear-cut as it seemed back then.
U.S. Attorney General William P. Barr, who has often argued for the introduction of backdoors into end-to-end encryption, welcomed the new proposal. In a statement, Barr said this “will allow law enforcement to further provide for the safety and security of the American people… Data security and public safety are not mutually exclusive. Encryption should keep us safe and secure, not provide an impenetrable safe haven for predators, terrorists, and criminals.”